Date: Thu, 9 May 2002 23:41:26 +1000 (Australia/NSW)
From: Darren Reed <avalon@cairo.anu.edu.au>
To: rob@robhughes.com
Cc: stable@freebsd.org
Subject: Re: ipfilter problem
Message-ID: <200205091341.g49DfQil020438@cairo.anu.edu.au>
> > Hi,
> >
> > I have FreeBSD-STABLE (4.6-PRERELEASE) from May 1st and I cannot
> > communicate with the host news.cis.dfn.de (neither nntp nor http, but
> > only this host; others work). When I remove this ipf rule it works:
> >
> > block return-rst in log quick on isp0 proto tcp from any to any
> >
> > But with a prior version of STABLE or 4.5-RELEASE it worked.
> >
> > greets,
> > Michael
>
> IPFilter was updated to 3.4.27. I had several rules that weren't having
> any effect on the previous 3.4.20 version that suddenly "kicked in"
> after the update. My guess would be that you experienced the same thing.

In going from 3.4.25 -> 3.4.27, IPFilter became much more strict in how
it allowed packets through for TCP connections. The side effect is that
some packets which did match the connection now don't and will hit the
"return-rst" rule above.

If you do not use "flags S" with TCP "keep state" rules, packets which
are not within the TCP window will no longer cause a new state entry to
be made and will hit other TCP rules following (such as the return-rst
above).

I'm not sure it is a good site to test with:

telnet news.cis.dfn.de 80
Trying 130.133.1.4...
Connected to news.cis.dfn.de.
Escape character is '^]'.
GET /
Connection closed by foreign host.

23:38:35.963084 10.10.10.10.11578 > 130.133.1.4.80: S [tcp sum ok] 1374076492:1374076492(0) win 8760 <mss 1460> (DF) (ttl 254, id 46871)
23:38:36.367016 130.133.1.4.80 > 10.10.10.10.11578: S [tcp sum ok] 786895874:786895874(0) ack 1374076493 win 49152 <mss 1412,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 36, id 64119)
23:38:36.367801 10.10.10.10.11578 > 130.133.1.4.80: . [tcp sum ok] ack 1 win 9884 (DF) (ttl 254, id 46872)
23:38:37.763256 LCP
23:38:37.763340 LCP
23:38:38.373093 10.10.10.10.11578 > 130.133.1.4.80: P [tcp sum ok] 1:8(7) ack 1 win 9884 (DF) (ttl 254, id 46873)
23:38:38.777847 130.133.1.4.80 > 10.10.10.10.11578: . [tcp sum ok] ack 8 win 49152 (DF) (ttl 36, id 4560)
23:38:38.806748 130.133.1.4.80 > 10.10.10.10.11578: . 1:1413(1412) ack 8 win 49152 (DF) (ttl 36, id 4564)
23:38:38.833112 130.133.1.4.80 > 10.10.10.10.11578: . 1413:2825(1412) ack 8 win 49152 (DF) (ttl 36, id 4565)
23:38:39.186423 10.10.10.10.11578 > 130.133.1.4.80: P [tcp sum ok] 8:10(2) ack 1 win 9884 (DF) (ttl 254, id 46874)
23:38:39.540526 130.133.1.4.80 > 10.10.10.10.11578: . 1:1413(1412) ack 8 win 49152 (DF) (ttl 36, id 6060)
23:38:39.589375 130.133.1.4.80 > 10.10.10.10.11578: R [tcp sum ok] 786895875:786895875(0) win 0 (ttl 36, id 6235)

As you can see, the closure is initiated by the remote end, not local.

Hmmm, then again, it could be window scaling not working, but still,
that the closure is initiated by the other end is suspicious, to me.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200205091341.g49DfQil020438>
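The ruleset change Darren's reply points at, written out as an added example that is not from Michael, Rob or Darren. Michael only posted the block rule; the outbound "keep state" rule below and the port-80 restriction are assumptions about what a ruleset on isp0 would look like, not something the thread shows.

```text
# Weak: state is created by whichever outbound packet first matches, SYN or not.
# With 3.4.27, a packet that does not match an existing state entry is no longer
# given a new one; it falls through to the rules and, inbound, hits return-rst.
pass out quick on isp0 proto tcp from any to any port = 80 keep state
block return-rst in log quick on isp0 proto tcp from any to any

# Corrected: only the initial SYN creates a state entry; every later packet of
# the connection is matched against the state table, not the rules.
pass out quick on isp0 proto tcp from any to any port = 80 flags S keep state
block return-rst in log quick on isp0 proto tcp from any to any
```

With the rule loaded (ipf -Fa -f /etc/ipf.rules), watch the state table with ipfstat -s while retrying the telnet test; a connection whose entry appears on the SYN and survives the data exchange is being handled by state, and anything logged by the return-rst rule (ipmon) is what fell through.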
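The check Darren does by eye on the tcpdump output (who sent the reset, and whether the data ever got acknowledged) as an added Python example; it is not code from the thread. The trace string is transcribed from Darren's message, including the two LCP lines the parser must skip, and the in-window test is a deliberately simplified version of what a state-tracking filter does, not IPFilter's actual algorithm.

```python
import re
from collections import defaultdict

# Trace transcribed from Darren's message (the page's own data, not a new
# capture). The "LCP" lines are PPP link-control output on the same interface.
TRACE = """\
23:38:35.963084 10.10.10.10.11578 > 130.133.1.4.80: S [tcp sum ok] 1374076492:1374076492(0) win 8760 <mss 1460> (DF) (ttl 254, id 46871)
23:38:36.367016 130.133.1.4.80 > 10.10.10.10.11578: S [tcp sum ok] 786895874:786895874(0) ack 1374076493 win 49152 <mss 1412,nop,wscale 2,nop,nop,sackOK> (DF) (ttl 36, id 64119)
23:38:36.367801 10.10.10.10.11578 > 130.133.1.4.80: . [tcp sum ok] ack 1 win 9884 (DF) (ttl 254, id 46872)
23:38:37.763256 LCP
23:38:37.763340 LCP
23:38:38.373093 10.10.10.10.11578 > 130.133.1.4.80: P [tcp sum ok] 1:8(7) ack 1 win 9884 (DF) (ttl 254, id 46873)
23:38:38.777847 130.133.1.4.80 > 10.10.10.10.11578: . [tcp sum ok] ack 8 win 49152 (DF) (ttl 36, id 4560)
23:38:38.806748 130.133.1.4.80 > 10.10.10.10.11578: . 1:1413(1412) ack 8 win 49152 (DF) (ttl 36, id 4564)
23:38:38.833112 130.133.1.4.80 > 10.10.10.10.11578: . 1413:2825(1412) ack 8 win 49152 (DF) (ttl 36, id 4565)
23:38:39.186423 10.10.10.10.11578 > 130.133.1.4.80: P [tcp sum ok] 8:10(2) ack 1 win 9884 (DF) (ttl 254, id 46874)
23:38:39.540526 130.133.1.4.80 > 10.10.10.10.11578: . 1:1413(1412) ack 8 win 49152 (DF) (ttl 36, id 6060)
23:38:39.589375 130.133.1.4.80 > 10.10.10.10.11578: R [tcp sum ok] 786895875:786895875(0) win 0 (ttl 36, id 6235)
"""

LOCAL, REMOTE = "10.10.10.10.11578", "130.133.1.4.80"

# tcpdump 3.x summary line: ts src > dst: FLAGS [tcp sum ok] seq:end(len) ack N win W ...
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SPRF.]+) "
    r"(?:\[tcp sum ok\] )?"
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?"
    r"win (?P<win>\d+)"
)


def parse(trace):
    """One dict per TCP line; lines that are not TCP (LCP etc.) are dropped."""
    pkts = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        pkts.append({
            "src": d["src"], "dst": d["dst"], "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "end": int(d["end"]) if d["end"] else None,
            "len": int(d["len"] or 0),
            "ack": int(d["ack"]) if d["ack"] else None,
            "win": int(d["win"]),
        })
    return pkts


def analyse(pkts):
    """What to check when a connection dies behind a stateful filter: who sent
    the reset, how much of each side's data the peer acknowledged, which data
    segments were retransmitted, and whether any segment fell outside the
    window its receiver last advertised. Sequence numbers are tcpdump's
    relative ones (1 = first byte after the SYN); SYN/SYN-ACK print absolute
    ISNs, so the handshake only seeds the per-side state."""
    acked, win = {}, {}                 # src -> highest ack sent / last window
    sent_end = defaultdict(int)         # src -> highest relative seq end sent
    seen, retrans, out_of_window = set(), [], []
    reset_by = None
    for p in pkts:
        src, dst = p["src"], p["dst"]
        if "S" in p["flags"]:
            acked[src], win[src] = 1, p["win"]  # expects peer's byte 1 next
            continue
        if p["len"]:
            lo = acked.get(dst, 1)
            hi = lo + win.get(dst, 0)
            if not (lo <= p["seq"] < hi):
                out_of_window.append((src, p["seq"], p["end"]))
            key = (src, p["seq"], p["end"])
            if key in seen:
                retrans.append(key)
            seen.add(key)
            sent_end[src] = max(sent_end[src], p["end"])
        if p["ack"] is not None:
            acked[src] = max(acked.get(src, 0), p["ack"])
            win[src] = p["win"]
        if "R" in p["flags"] and reset_by is None:
            reset_by = src
    hosts = sorted({p["src"] for p in pkts})
    unacked = {}
    for h in hosts:
        peer = [x for x in hosts if x != h][0]
        unacked[h] = max(0, sent_end[h] - acked.get(peer, 1)) if sent_end[h] else 0
    return {"reset_by": reset_by, "unacked": unacked,
            "retransmitted": retrans, "out_of_window": out_of_window}


if __name__ == "__main__":
    for k, v in analyse(parse(TRACE)).items():
        print(f"{k}: {v}")
```

Run on the thread's trace it reports that the reset came from 130.133.1.4.80, that the server's 2824 bytes were never acknowledged by the client (the client's last ack stays at 1) while the server retransmitted 1:1413 once before resetting, and that every segment was inside the window its receiver advertised. That last point is why window arithmetic alone does not settle the question: the segments look fine on the wire, so whether the local filter dropped them before TCP saw them has to be checked on the firewall (ipmon logs for the return-rst rule), not inferred from the capture.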